All Posts


Don't know if I am correct, but as your business day starts at 5 PM (D) and ends at 5 PM (D+1), you need to adjust _time accordingly and extract the latest execution time for Job1, Job2, and Job3 within this custom day window. Based on the current time, determine whether a job is PLANNED or EXECUTED.

| makeresults count=1
| eval now=relative_time(now(), "@d+17h") ```adjusting the custom day window (5 PM as the start of the day)```
| append
    [ search index=your_index sourcetype=your_sourcetype earliest=-1d@d+17h latest=@d+17h
      | eval job_status=if(_time <= now(), strftime(_time, "Executed at %H:%M"), "PLANNED") ```the subsearch cannot see the outer now field, so compare against now()```
      | stats latest(_time) as job_time latest(job_status) as job_status by job_name ]
| eval job_status=if(isnull(job_status), "PLANNED", job_status)
| table job_name job_status

If _time is stored in epoch format, there is no need to convert it. Adjust the @d+17h if your business day has a different start hour. Note: use the above query with your own index and sourcetype names.
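The same business-day window logic in plain Python, as an added example that is not part of the post above: it reproduces what earliest=-1d@d+17h latest=@d+17h select, finds the latest run of each expected job inside that window, and labels jobs with no run as PLANNED. The log format, the sample events and the job names are constructed for this example; they are not a Splunk sourcetype.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# The "@d+17h" of the SPL: snap to midnight, then add 17 hours (5 PM).
BUSINESS_DAY_START_HOUR = 17

TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed log format for this example only (not a real Splunk sourcetype):
#   "2024-03-11 18:30:00 job=Job1 status=success"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) job=(?P<job>\S+) status=(?P<status>\S+)$"
)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FORMAT)


def business_day_window(now: datetime) -> Tuple[datetime, datetime]:
    """Equivalent of earliest=-1d@d+17h latest=@d+17h.

    Both modifiers snap to *today's* midnight and add 17h regardless of the
    current time: before 5 PM the window ends in the future, after 5 PM it
    covers the business day that has just ended.
    """
    latest = now.replace(hour=0, minute=0, second=0, microsecond=0) + timedelta(
        hours=BUSINESS_DAY_START_HOUR
    )
    earliest = latest - timedelta(days=1)
    return earliest, latest


def parse_line(line: str) -> Optional[Tuple[datetime, str, str]]:
    m = LOG_RE.match(line)
    if m is None:
        return None
    return parse_ts(m["ts"]), m["job"], m["status"]


def job_status(lines: Iterable[str], expected_jobs: List[str], now: datetime) -> Dict[str, str]:
    """Latest run of each expected job inside the business-day window.

    A job with no run between the window start and `now` is PLANNED. The
    expected job list is an explicit input because a run that never happened
    produces no event to group on.
    """
    earliest, latest = business_day_window(now)
    latest_run: Dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the format
        ts, job, _status = parsed
        if not (earliest <= ts < latest) or ts > now:
            continue  # outside the custom day, or in the future
        if job not in latest_run or ts > latest_run[job]:
            latest_run[job] = ts
    return {
        job: (f"Executed at {latest_run[job]:%H:%M}" if job in latest_run else "PLANNED")
        for job in expected_jobs
    }


# Constructed sample events (not real data).
SAMPLE_LOG = [
    "2024-03-11 09:00:00 job=Job3 status=success",  # previous business day
    "2024-03-11 18:30:00 job=Job1 status=success",  # inside the window
    "2024-03-12 01:00:00 job=Job1 status=success",  # later run of Job1
    "2024-03-12 02:15:00 job=Job2 status=success",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    now = parse_ts("2024-03-12 10:00:00")
    print(business_day_window(now))
    print(job_status(SAMPLE_LOG, ["Job1", "Job2", "Job3"], now))
```

One caveat the window function makes visible: because @d snaps to today's midnight, the same earliest/latest pair evaluated at 6 PM still yields yesterday 5 PM to today 5 PM, so a run logged at 5:30 PM today falls outside it until the next calendar day.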
I see. I'd really like option one to work here, and it did work for a user that was using Splunk on-prem:

[abuseipdb_control_coll]
enforceTypes = true
field._key = string
field.value = string
replicate = true

But this same configuration was apparently not working for a user on Splunk Cloud Victoria, whatever the reason (see the previous example). I was unsure whether it was a problem with eventual consistency, or what exactly.
@richgalloway then how can I achieve this requirement? Please let me know. I don't have any coding knowledge at this moment.
@splunklearner wrote:

@richgalloway IOW, if you add "Source=123456" to the search filter with the intention of restricting results from index=A, it also will restrict the results from index=B and all other indexes. ---> I didn't get this point. I will be creating a role A, selecting index A and then restricting with the search filter (source=123456). So ideally user A will be assigned role A and will have access to index A and source 123456. These sources are unique and there is only one role for each source. This role may be assigned to multiple users. But how would index B be involved here? Please clarify.

My presumption is that user A may sometimes need to search other indexes than just indexA. If he chooses to search indexB then the search filter still applies, even though it may not make sense for that index. This is why I agree with @isoutamo about avoiding search filters.
What and how to check in btool? Please guide me, sir.
That's also my understanding of it. Of course you should check what your environment has for it. btool is a good command to check it.
Based on your example and those in the vendor's documentation, your issue is that you are using only streaming commands before abuseipdbcheck, and it is also a streaming command. This means that all processing is done on the indexers (unlike makeresults and the vendor's examples, which run on the SH side). In your case your search tries to use the KV store lookup on the indexers, but unless you have marked it for replication to the indexers (the default is false), it cannot find it and fails.

Now you have two options:
- define that the collection will replicate to the indexers
- force execution to the SH side using a non-streaming command, or e.g. the localop command https://docs.splunk.com/Documentation/Splunk/9.4.1/SearchReference/Localop, which forces execution on the SH
@isoutamo So here the default is true, right? So will it take OR by default?

When we have roleA and roleB which have srchFilters:
roleA: source=A
roleB: source=B

Then Splunk adds those to every SPL query these users run, like:
input: index=a
real SPL: index=a source=A

Then if a user has both roles assigned to him/her:
input: index=a
real SPL: index=a source=A OR source=B

So by default it will be OR, right? Please confirm.
info_min_time comes from the addinfo command. The values it provides come from whatever timeframe you have set your search to run with. Without seeing your complete dashboard, it is hard to say what tokens you are using for your search. But since you already appear to have a time selection input with a token name of field1, why not use field1.earliest as your panel search earliest and field1.latest as your panel search latest?
Yes, the error is:

.../apps/abuseipdb_app/bin/splunklib/client.py", line 1384: UrlEncoded('abuseipdb_control_coll')

which is actually a Python KeyError for the UrlEncoded name of the "control_coll" holding user data (in essence, "collection not found"). The search query causing this is:

index=fortianalyzer action="accept"
| dedup srcip
| eval is_internal=`isInternalIPv4(srcip)`
| search is_internal=False
| abuseipdbcheck ip=srcip
| where abuseConfidenceScore=100
| table srcip, abuseConfidenceScore

Interestingly, directly running abuseipdbcheck on the search head works:

| makeresults
| abuseipdbcheck ip=127.0.0.1
The binary is used for verifying the signature of the license key. We have already contacted all vendors listed on VirusTotal. Only the Windows version is affected. If you do not use Windows, you can safely remove the binary. Furthermore, if you are a customer of SentinelOne or another vendor, kindly contact them to flag the binary as safe.
I was just checking this in https://docs.splunk.com/Documentation/Splunk/latest/Admin/Authorizeconf, where you found this. It seems that currently you can select whether this operation is AND or OR. This will help, and maybe these are currently more usable?

[default]
srchFilterSelecting = <boolean>
* Determines whether a role's search filters are used for selecting or eliminating during role inheritance.
* If "true", the search filters are used for selecting. The filters are joined with an OR clause when combined.
* If "false", the search filters are used for eliminating. The filters are joined with an AND clause when combined.
* Example:
  * role1 srchFilter = sourcetype!=ex1 with selecting=true
  * role2 srchFilter = sourcetype=ex2 with selecting = false
  * role3 srchFilter = sourcetype!=ex3 AND index=main with selecting = true
  * role3 inherits from role2 and role2 inherits from role1
  * Resulting srchFilter = ((sourcetype!=ex1) OR (sourcetype!=ex3 AND index=main)) AND ((sourcetype=ex2))
* Default: true
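A small model of the combination rule quoted above, added here as an example that is not part of the post or of Splunk's own code: it walks a role's inheritance chain, ORs the selecting filters, ANDs the eliminating filters, ANDs the two groups, and reproduces the authorize.conf example result character for character. It also answers the "real SPL" question earlier in the thread by appending the combined filter to a user's search. Single-parent inheritance and the root-first ordering of the OR group are assumptions made to match the documented example; Splunk performs the real rewrite internally, and the job inspector is where to confirm it.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Role:
    name: str
    srch_filter: str = ""
    srch_filter_selecting: bool = True  # authorize.conf default
    inherits: Optional["Role"] = None   # single parent: enough for the doc example


def inheritance_chain(role: Role) -> List[Role]:
    """Roles from the root ancestor down to `role` (e.g. role1, role2, role3)."""
    chain: List[Role] = []
    r: Optional[Role] = role
    while r is not None:
        chain.append(r)
        r = r.inherits
    chain.reverse()
    return chain


def combined_search_filter(role: Role) -> str:
    """Combine filters along the chain as authorize.conf documents it:
    selecting filters OR'ed together, eliminating filters AND'ed together,
    and the two groups AND'ed."""
    chain = [r for r in inheritance_chain(role) if r.srch_filter]
    selecting = [r.srch_filter for r in chain if r.srch_filter_selecting]
    eliminating = [r.srch_filter for r in chain if not r.srch_filter_selecting]
    groups: List[str] = []
    if selecting:
        groups.append("(" + " OR ".join(f"({f})" for f in selecting) + ")")
    if eliminating:
        groups.append("(" + " AND ".join(f"({f})" for f in eliminating) + ")")
    return " AND ".join(groups)


def effective_search(user_spl: str, role: Role) -> str:
    """Illustration of the 'real SPL' described in the thread: the user's
    search with the role's combined filter appended. This is a model of the
    behaviour, not Splunk's implementation."""
    filt = combined_search_filter(role)
    return f"{user_spl} {filt}" if filt else user_spl


# The example from the authorize.conf excerpt above.
ROLE1 = Role("role1", "sourcetype!=ex1", True)
ROLE2 = Role("role2", "sourcetype=ex2", False, ROLE1)
ROLE3 = Role("role3", "sourcetype!=ex3 AND index=main", True, ROLE2)

if __name__ == "__main__":
    print(combined_search_filter(ROLE3))
    print(effective_search("index=a", ROLE3))
```

Two things the model makes concrete. With the default (selecting, OR), adding a role with a filter can only widen what the user sees, never narrow it; a filter that must always hold has to be an eliminating one (srchFilterSelecting = false). And the combined filter is appended to whatever the user searched, index=a or any other index, which is the point made earlier in the thread about filters applying across indexes.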
In addition to the other answers, you may also want to check that your forwarder is not having permission problems reading the Security wineventlog. If you install the unprivileged Windows forwarder and do not add the SplunkForwarder virtual user to the "Event Log Readers" group, it may fail to subscribe to the Security event log channel.

Search (assuming that your forwarder IS sending internal logs, but not Windows event logs):

index=_internal host=<host> errorCode=5 "unable to subscribe to Windows Event Log"
Depending on whether you want to do this directly in Splunk, and what modules you have installed in your Splunk Enterprise deployment, it may be practical to schedule a scripted input which sends an HTTP request to the download page, searches for the <span class="version">9.4.1</span> text, then extracts the value in the middle. You can then set up a scheduled alert if the version does not match your current version, which can be retrieved using "| rest services/server/info".
This app is compatible with Splunk Enterprise, NOT Splunk Cloud. You will have to open a case with Splunk and ask if it can be vetted, or check github.com to see if there is any.
real SPL: index=a source=A AND source=B AND foobar. I am confused here why AND would come in. Do we have any documentation on this to prove it to our teammates?
You could do the same thing for MaxExecutionTime by adding 2 more rows in the search:

...
| eval colorCode2 = if(MaxExecutionTime > Treshold, "#D94E17", "#55C169")
...
| eval MaxExecutionTime = mvappend(MaxExecutionTime, colorCode2)
...

And another format section:

<format type="color" field="MaxExecutionTime">
  <colorPalette type="expression">mvindex(value,1)</colorPalette>
</format>

So now it reads:

<row>
  <panel>
    <html depends="$hidecsspanel$">
      <style>
        #ColoredTable table tbody td div.multivalue-subcell[data-mv-index="1"]{
          display: none;
        }
      </style>
    </html>
    <title>TEST XRT Execution Dashboard</title>
    <table id="ColoredTable">
      <search>
        <query>index="aws_app_corp-it_xrt" sourcetype="xrt_log" "OK/INFO - 1012550 - Total Calc Elapsed Time"
| rex field=source "(?&lt;Datetime&gt;\d{8}_\d{6})_usr@(?&lt;Username&gt;[\w\.]+)_ses@\d+_\d+_MAXL#(?&lt;TemplateName&gt;\d+)_apd@(?&lt;ScriptName&gt;[\w]+)_obj#(?&lt;ObjectID&gt;[^.]+)\.msh\.log"
| rex "Total Calc Elapsed Time\s*:\s*\[(?&lt;calc_time&gt;\d+\.\d+)\]\s*seconds"
| stats avg(calc_time) as AverageExecutionTime max(calc_time) as MaxExecutionTime by ScriptName, ObjectID, TemplateName
| eval AverageExecutionTime = round(AverageExecutionTime, 0)
| lookup script_tresholds ObjectID ScriptName MaxLTemplate as "TemplateName" OUTPUT Threshold AS "Treshold"
| eval colorCode = if(AverageExecutionTime > Treshold, "#D94E17", "#55C169")
| eval colorCode2 = if(MaxExecutionTime > Treshold, "#D94E17", "#55C169")
| table ScriptName, AverageExecutionTime, MaxExecutionTime, Treshold, ObjectID, TemplateName, colorCode, colorCode2
| search $ScriptName$ $ObjectID$
| sort - AverageExecutionTime
| eval AverageExecutionTime = mvappend(AverageExecutionTime, colorCode)
| eval MaxExecutionTime = mvappend(MaxExecutionTime, colorCode2)
| fields - colorCode colorCode2</query>
        <earliest>$earliest$</earliest>
        <latest>$latest$</latest>
      </search>
      <option name="refresh.display">progressbar</option>
      <format type="color" field="AverageExecutionTime">
        <colorPalette type="expression">mvindex(value,1)</colorPalette>
      </format>
      <format type="color" field="MaxExecutionTime">
        <colorPalette type="expression">mvindex(value,1)</colorPalette>
      </format>
    </table>
  </panel>
</row>
Hello @Knust, try this query:

| rest services/server/info
| eval new_version = "9.4.0" ```replace it with the version you're upgrading to```
| eval current_version = version
| eval old_version = if(new_version > current_version, "yes", "no") ```compares the two values as strings```
| table current_version new_version old_version

In the table, if the old_version column says yes, you need to upgrade; if it says no, there is no need. You can also rename the columns the way you would prefer by using the | rename command. Please let me know if this helps.
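The two pieces of the version check discussed in this thread, the scripted-input idea of extracting <span class="version">...</span> from the download page and the comparison against the running version, as an added Python example that is not part of either post. The page snippet is constructed, not the real download page, and the fetch itself is left out so the block runs offline; the point it adds is that versions must be compared component by component, since a plain string comparison (which is what a ">" between two non-numeric strings gives you) ranks "9.4.1" above "9.10.0".

```python
import re
from typing import Dict, Tuple

# Matches the <span class="version">9.4.1</span> element mentioned in the thread.
VERSION_SPAN_RE = re.compile(r'<span\s+class="version">\s*(\d+(?:\.\d+)*)\s*</span>')


def extract_version(html: str) -> str:
    """Pull the advertised version string out of the page markup."""
    m = VERSION_SPAN_RE.search(html)
    if m is None:
        raise ValueError('no <span class="version"> element found')
    return m.group(1)


def parse_version(v: str) -> Tuple[int, ...]:
    """'9.4.1' -> (9, 4, 1), so that tuples compare component by component."""
    return tuple(int(part) for part in v.strip().split("."))


def needs_upgrade(current: str, latest: str) -> bool:
    return parse_version(latest) > parse_version(current)


def string_compare_says_newer(current: str, latest: str) -> bool:
    """The pitfall: a plain string '>' is lexicographic, so '9.4.1' > '9.10.0'."""
    return latest > current


def check_for_update(page_html: str, current_version: str) -> Dict[str, object]:
    """What a scheduled check would emit; current_version would come from
    | rest services/server/info in a real scripted input."""
    latest = extract_version(page_html)
    return {
        "current_version": current_version,
        "latest_version": latest,
        "upgrade_available": needs_upgrade(current_version, latest),
    }


# Constructed stand-in for the download page markup (not the real page).
SAMPLE_PAGE = '<div class="release"><span class="version">9.4.1</span> <a href="#">Download</a></div>'

if __name__ == "__main__":
    print(check_for_update(SAMPLE_PAGE, "9.4.0"))
    print("string compare 9.10.0 vs 9.4.1:", string_compare_says_newer("9.10.0", "9.4.1"))
```

If this is wired into a scripted input, fetch the page over HTTPS, treat the result purely as input to an alert (never as something to install automatically), and expect to adjust VERSION_SPAN_RE when the page markup changes.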
Maybe this old post helps you? https://community.splunk.com/t5/Splunk-Search/dashboard-time-token-with-multiple-ealiest-latest-search/m-p/710873
If you have a test/dev environment you could easily add some roles which have different search filters. Assign those to your test users and use the job inspector to see how Splunk creates the final SPL for those queries.